
Threat actors are actively exploiting a “controversial” and unpatched vulnerability in an open source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illegal cryptocurrency mining, cybersecurity researchers warn.
“The vulnerability allows an attacker to take over a company’s computing power and exfiltrate sensitive data,” Oligo security researchers Avi Lumelsky, Guy Kaplan and Gal Elbaz said in Tuesday’s disclosure.
“This flaw has been actively exploited over the past seven months, affecting industries such as education, cryptocurrency, biopharmaceuticals, and more.”
The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security company. It also marks the first time an AI workload has been targeted in the wild through flaws in the infrastructure supporting AI.
Ray is an open source, fully managed computing framework that enables organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of artificial intelligence libraries for simplifying machine learning platforms.

It is used by some of the largest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.
The security vulnerability involved is CVE-2023-48022 (CVSS score: 9.8), a critical missing-authentication flaw that allows remote attackers to execute arbitrary code through the job submission API. Bishop Fox reported this issue, along with two other flaws, in August 2023.
The cybersecurity company said that the lack of authentication controls on two Ray components (dashboard and client) could be exploited by “unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information and implement remote command execution”.
This makes it possible to obtain operating system access to all nodes in the Ray cluster or to attempt to retrieve Ray EC2 instance credentials. Anyscale said in a November 2023 announcement that it does not currently plan to address the issue.
“Ray does not have built-in authentication – this is a long-term design decision based on how Ray’s security boundaries are drawn and is consistent with Ray deployment best practices, although we intend to provide authentication in future releases as part of a defense-in-depth strategy,” the company noted.
It also warned in its documentation that platform providers are responsible for ensuring that Ray runs in an “adequately controlled network environment” and that developers can access the Ray Dashboard in a secure manner.
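Because the dashboard and client carry no authentication of their own, the bind address of those listeners is the control that matters. The following sketch is an added example, not code from Anyscale, Oligo or Bishop Fox: it audits `ss -H -ltn` output from a Ray node and flags Ray listeners that are not loopback-only. It assumes Ray's default ports (8265 for the dashboard and job submission API, 10001 for the Ray Client server), and the sample input is constructed.

```python
import ipaddress

# Assumption: the cluster uses Ray's default ports for the two components
# named above (dashboard / job submission API, and Ray Client server).
RAY_PORTS = {8265: "dashboard / job submission API", 10001: "Ray Client server"}

# Constructed sample of `ss -H -ltn` output from a hypothetical head node.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:8265     0.0.0.0:*
LISTEN 0 128  127.0.0.1:10001  0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 4096 10.0.3.17:10001  0.0.0.0:*
LISTEN 0 4096 [::1]:8265       [::]:*
"""

def parse_local(field):
    """Split the ss 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    return host, int(port)

def exposure(host):
    """Classify a bind address as loopback, all interfaces, or one address."""
    if host == "*":
        return "all interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all interfaces" if ip.is_unspecified else "specific address"

def audit(ss_text):
    """Return (port, service, host, exposure) for Ray listeners off loopback."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = parse_local(fields[3])
        scope = exposure(host)
        if port in RAY_PORTS and scope != "loopback":
            findings.append((port, RAY_PORTS[port], host, scope))
    return findings

if __name__ == "__main__":
    for port, service, host, scope in audit(SAMPLE_SS):
        print(f"REVIEW: Ray {service} on {host}:{port} ({scope}); "
              "confirm firewall or security-group rules restrict who can reach it")
```

A finding is a prompt to check the surrounding firewall or security-group rules, since a non-loopback bind is expected on multi-node clusters and only becomes an exposure when untrusted networks can reach it.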

Oligo said it observed the shadow vulnerability being exploited to compromise hundreds of Ray GPU clusters, which could have allowed threat actors to obtain large amounts of sensitive credentials and other information from compromised servers.
This includes production repository passwords, SSH private keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments on Amazon Web Services, Google Cloud, and Microsoft Azure.
In many cases, compromised instances have been found running cryptocurrency miners (such as XMRig, NBMiner, and Zephyr) and reverse shells used for persistent remote access.
The unknown attackers behind ShadowRay also used an open source tool called Interactsh to fly under the radar.
“When an attacker gains access to a Ray production cluster, it’s a jackpot,” the researchers said. “Valuable company data coupled with remote code execution makes it easy to monetize the attack — while remaining in the shadows, completely undetectable (and with static security tools, undetectable).”